
REDCap - Research Compliance

REDCap is a secure web application for building and managing online databases and surveys.

Institutional Review Board (IRB)

"Institutional policy and federal regulations require review and approval by the PCOM IRB of ALL research activities conducted at PCOM or other institutions by PCOM faculty, students, and staff involving human subjects PRIOR to their involvement. This applies to all faculty and staff research, as well as all student-originated research, including research to satisfy the requirements of master's and doctoral degrees. Institutional policy also requires PCOM IRB review and approval of proposed research by those outside of PCOM who wish to recruit participants at PCOM for research conducted elsewhere. Complete PCOM IRB Rules and Regulations are housed in BlackBoard and accessible by PCOM faculty."

If your answer is yes to any of the following three screening questions, then your REDCap project requires IRB approval.

  1. Will the results be presented at a meeting, conference, symposium, etc.?
  2. Will the results be published in a peer-reviewed journal?
  3. Will the results be shared in a format that will allow others to apply your findings to their setting?

PCOM - Division of Research. (2018). Philadelphia college of osteopathic medicine institutional review board policies and procedures. Philadelphia, PA: PCOM. Retrieved from

Protected Health Information

To be compliant with HIPAA, the following protected health information must be removed:

  • Names
  • Geographic subdivisions smaller than a state
  • All elements of dates (except year) related to an individual (including admission and discharge dates, birthdate, date of death, all ages over 89 years old, and elements of dates (including year) that are indicative of age)
  • Telephone, cellphone, and fax numbers
  • Email addresses
  • IP addresses
  • Social Security numbers
  • Medical record numbers
  • Health plan beneficiary numbers
  • Device identifiers and serial numbers
  • Certificate/license numbers
  • Account numbers
  • Vehicle identifiers and serial numbers including license plates
  • Website URLs
  • Full face photos and comparable images
  • Biometric identifiers (including finger and voice prints)
  • Any unique identifying numbers, characteristics or codes

For further information on de-identification of protected health information by expert determination see 45 CFR § 164.514(b)(1).

Source: "De-identification of Protected Health Information" HIPAA Journal. 2018.

E-Consent FAQ

Is REDCap HIPAA compliant? Is it 21 CFR Part 11 compliant?

The PCOM REDCap system is maintained in a HIPAA-compliant environment. If you are subject to 21 CFR Part 11, you may want to double-check with your sponsor or other oversight to confirm if Part 11 compliance is applicable to the potential REDCap component of your work. In many cases, FDA-type projects need 21 CFR Part 11 compliance only when the electronic data capture system is considered the SOURCE document. This is frequently not the case because the data originally exists elsewhere - paper or electronic medical record. So you may find that a HIPAA-compliant environment is sufficient.

What do I have to include on an e-consent? Are there specific questions or field types that I have to use?

PCOM's IRB materials reside in BlackBoard in a folder called "Research Compliance - IRB/IACUC". Please coordinate closely with your IRB team to learn about what they require for your specific protocol.

We recommend exploring all the options in both REDCap and with your study oversight to determine which REDCap features are most applicable to your work. Your oversight/governing bodies certainly have the final say in what they consider ‘valid’ – e.g. yes/no fields, typed vs. signed names. You can use REDCap’s features to build your e-consent form however you (and they) wish.

Is there a question type for people to electronically sign their name?

REDCap does have a field type that allows people to write their signature with a mouse, stylus, or finger (depending on what type of device they use to access REDCap). When in the Online Designer, if you add a new field, you’ll be prompted to choose a field type. The ‘Signature’ field type is just over half-way down the list.

Do I have to use a signature field? Or can people just type their name to sign the consent?

Some IRBs consider the 'signature' field type comparable to a ‘wet signature’. Depending on what regulations folks are subject to, sometimes text box fields can also be used for signatures. For example, some protocols consider typing in the name (using a regular text box) as legally binding. You must contact your IRB to learn about what they require for your specific protocol.

Guide Information

Last Updated: Jun 10, 2024 2:21 PM